Techniques for detecting false positive return-oriented programming attacks

ABSTRACT

Various embodiments are generally directed to an apparatus, method and other techniques to determine whether a target address of a register for an execution instruction is valid or invalid based on a comparison between the target address and one or more valid target addresses stored in a storage, increase a number of invalid target addresses if the target address is invalid, and determine whether the number of invalid target addresses is greater than an invalid target address threshold. Various embodiments may also include initiating a security measure to prevent a security breach if the number of invalid target addresses is greater than the invalid target address threshold or executing the execution instruction if the number of invalid target addresses is less than or equal to the invalid target address threshold.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of, claims the benefit of, and claims priority to U.S. patent application Ser. No. 14/582,114 filed on Dec. 23, 2014, the subject matter of which is hereby incorporated herein by reference in its entirety.

TECHNICAL FIELD

Embodiments described herein generally relate to techniques for detecting malware and virus attacks against computing systems and for identifying false positive detections of such attacks.

BACKGROUND

Computer exploits are techniques which may be used to compromise the security of a computer system or data. Such exploits may take advantage of a vulnerability of a computer system in order to cause unintended or unanticipated behavior to occur on the computer system. For example, during a Return-Oriented Programming (ROP) attack a series of snippets of code that are already available in executable memory (e.g., portions of existing library code), each of which ends with a return instruction (e.g., a RET instruction), may be chained together into a desired execution sequence by pushing a series of pointer values onto the call stack and then tricking the code into executing the first pointer value. This chained execution sequence does not follow the program execution order that the original program author intended, but instead follows an alternative execution sequence. In this manner, an attacker may create a virtual program sequence without requiring injection of external code.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an embodiment of a computing device.

FIG. 2 illustrates an embodiment of an information flow diagram.

FIG. 3 illustrates a second embodiment of an information flow diagram.

FIG. 4 illustrates a third embodiment of an information flow diagram.

FIG. 5 illustrates a fourth embodiment of an information flow diagram.

FIG. 6 illustrates a fifth embodiment of an information flow diagram.

FIG. 7 illustrates a sixth embodiment of an information flow diagram.

FIG. 8 illustrates an embodiment of a logic flow diagram.

FIG. 9 illustrates a second embodiment of a logic flow diagram.

FIG. 10 illustrates an exemplary embodiment of a computing system.

FIG. 11 illustrates an exemplary embodiment of a computing architecture.

DETAILED DESCRIPTION

Various embodiments are generally directed to an apparatus, system and method to detect various types of code reuse attacks including return-oriented programming (ROP) attacks. More specifically, valid target addresses for branch instructions may be determined either prior to or during execution of instructions for applications and then validated. However, in some instances, a target address may be determined to be invalid even though it is a valid target address. For example, a target address for an instruction may change between the determination process, when the valid target address is determined, and the validation process. Therefore, during the validation process the target address may be indicated as invalid even though it is actually a valid target address. Some embodiments are directed to detecting these false-positive detections.

As discussed, during a ROP attack a series of snippets of code that are already available in executable memory (e.g., portions of existing library code), and which are followed by a return instruction (e.g., a RET instruction), may be chained together into a desired execution sequence. Moreover, one of the hallmarks of a ROP attack is that a number of redirecting instructions may be used to take over control flow. These redirecting instructions may occur in a row, or in some cases, valid instructions may be permitted to execute in between redirecting instructions during an attack to try to prevent detection of the attack. Thus, some embodiments may be directed to using a two-counter approach to filter out false positives from actual ROP attacks.

For example, some embodiments may include an invalid target address counter to track a number of detected invalid target addresses. Additionally, an execution instruction counter may be utilized to determine a number of valid execution instructions executed in between each invalid target address detection. A security measure is initiated only when the invalid target address counter reaches its threshold before the execution instruction counter reaches its own threshold, for example. Thus, the two-counter approach may be used to filter out a false-positive detection while also detecting an attacker's attempt to insert valid execution instructions in between redirecting instructions. These and other details will become more apparent with the following description.

Various embodiments also relate to an apparatus or system for performing these operations. This apparatus may be specially constructed for the required purpose or it may include a general-purpose computer as selectively activated or reconfigured by a computer program stored in the computer. The procedures presented herein are not inherently related to a particular computer or other apparatus. Various general-purpose machines may be used with programs written in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method. The required structure for a variety of these machines will appear from the description given.

Reference is now made to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding thereof. It may be evident, however, that the novel embodiments can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate a description thereof. The intention is to cover all modifications, equivalents, and alternatives consistent with the claimed subject matter.

FIG. 1 illustrates an embodiment of a computing device 101 to process information and data. In some embodiments, computing device 101 may include a number of components, modules and processing circuitry to detect and process return-oriented programming (ROP) attacks by verifying target addresses of instructions. Computing device 101 may also include a number of components to detect and manage false positive detections of ROP attacks.

Computing device 101 may include one or more processing units 102, memory 104, one or more interfaces 106 and storage 108. In some embodiments, the one or more processing units 102 may be one or more of any type of computational element, such as but not limited to, a microprocessor, a processor, central processing unit, digital signal processing unit, dual core processor, mobile device processor, desktop processor, single core processor, a system-on-chip (SoC) device, complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, or any other type of processor or processing circuit on a single chip or integrated circuit. The one or more processing units 102 may be connected to and communicate with the other elements of the computing device 101 via interconnects (not shown), such as one or more buses, control lines, and data lines. In some embodiments, the one or more processing units 102 may include processor registers, a small amount of storage available to the processing units to hold information, including instructions, that can be accessed during execution. Moreover, processor registers are normally at the top of the memory hierarchy, and provide the fastest way to access data.

As mentioned, the computing device 101 may include memory 104 to store information. Further, memory 104 may be implemented using any machine-readable or computer-readable media capable of storing data, including both volatile and non-volatile memory. In some embodiments, the machine-readable or computer-readable medium may include a non-transitory medium. The embodiments are not limited in this context.

The memory 104 can store data momentarily, temporarily, or permanently. The memory 104 stores instructions and data for computing device 101. The memory 104 may also store temporary variables or other intermediate information while the one or more processing units 102 are executing instructions. In some embodiments, information and data may be loaded from memory 104 into the processor registers during processing of instructions. Manipulated data is then often stored back in memory 104, either by the same instruction or a subsequent one. The memory 104 is not limited to storing the above discussed data; the memory 104 may store any type of data.

The one or more interfaces 106 include any device and circuitry for processing information or communications over wireless and wired connections. For example, the one or more interfaces 106 may include a receiver, a transmitter, one or more antennas, and one or more Ethernet connections. The specific design and implementation of the one or more interfaces 106 may be dependent upon the communications network in which the computing device 101 is intended to operate.

For example, the computing device 101 may include a communication interface designed to operate in data communications networks such as GSM with General Packet Radio Service (GPRS) systems (GSM/GPRS), CDMA/1xRTT systems, Enhanced Data Rates for Global Evolution (EDGE) systems, Evolution Data Only or Evolution Data Optimized (EV-DO) systems, Evolution For Data and Voice (EV-DV) systems, High Speed Downlink Packet Access (HSDPA) systems, High Speed Uplink Packet Access (HSUPA) systems, and so forth, and also designed to operate with any of a variety of voice communications networks, such as Code Division Multiple Access (CDMA) systems, Global System for Mobile Communications (GSM) systems, North American Digital Cellular (NADC) systems, Time Division Multiple Access (TDMA) systems, Extended-TDMA (E-TDMA) systems, Narrowband Advanced Mobile Phone Service (NAMPS) systems, third generation (3G) systems such as Wide-band CDMA (WCDMA), CDMA-2000, Universal Mobile Telephone System (UMTS) systems, and so forth. Other types of data and voice networks, both separate and integrated, may also be utilized with computing device 101. The computing device 101 may also be compliant with other communications standards such as 3GSM, 3GPP, UMTS, 4G, etc. In some embodiments, the computing device 101 may be designed to operate in a plurality of communications networks and is not limited to a specific network.

In various embodiments, the one or more interfaces 106 may include one or more I/O controllers (not shown) to output any signals and information. The I/O controller may enable communication over wireless and wired connections. In various embodiments, the I/O controller may be a separate component or module of computing device 101.

Computing device 101 may include storage 108 which may be implemented as a non-volatile storage device such as, but not limited to, a magnetic disk drive, optical disk drive, tape drive, an internal storage device, an attached storage device, flash memory, battery backed-up SDRAM (synchronous DRAM), and/or a network accessible storage device. In embodiments, storage 108 may include technology to increase storage performance and enhance protection for valuable digital media when multiple hard drives are included, for example. Further examples of storage 108 may include a hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), optical disk, magnetic media, magneto-optical media, removable memory cards or disks, various types of DVD devices, a tape device, a cassette device, or the like. The embodiments are not limited in this context.

Further and as illustrated in FIG. 1, the computing device 101 may include a number of components and modules to store and process information and instructions to detect and manage ROP attacks. For example, computing device 101 may include a translator component 142, a comparison component 144, a validation component 146 and a security component 148. Computing device 101 may also include one or more libraries 112, white list data 114, an invalid target address counter 116, and an execution instruction counter 118. The computing device 101 may also include one or more applications 120 that each may have a main routine 122 and execution instructions 124 that can be executed to process information and data. In some embodiments, the computing device 101 may also include cache 130 having a translation cache 132 and one or more lookup tables 134, which may be stored in storage 108 and/or memory 104.

As will become apparent with the following description, the components, libraries, data, counters, and cache may be utilized to detect and manage ROP attacks on applications. Further and in some embodiments, one or more components, such as the translator component 142, the comparison component 144, the validation component 146, and the security component 148, may be stored in storage 108. Similarly, libraries 112, white list data 114, counters 116 and 118, and the application 120 including the main routine 122 and execution instructions 124 may also be stored in storage 108 and executed while in memory 104. However, various embodiments are not limited in this manner and in some embodiments the components, libraries 112, white list data 114, counters 116 and 118, and applications 120 may be stored in memory 104 or remotely and accessed via one or more wireless or wired connections.

In various embodiments, the computing device 101 including the translator component 142, the comparison component 144, the validation component 146 and the security component 148 may be used to detect ROP attacks, detect false positives, perform security measures, and so forth for applications 120 executing on computing device 101. Applications 120 may be any type of application including, but not limited to, word processing applications, spreadsheet applications, database applications, gaming applications, business applications, drafting applications, portable document format applications, Internet applications, web-based applications, email applications, and so forth.

Each of the applications 120 may execute a main routine 122 which may incorporate a sequence of execution instructions 124 operative on the one or more processing units 102 in its role as a main processor component of the computing device 101 to implement logic to perform various functions. The execution instructions 124 may be loaded into memory 104 or one or more registers of the processing units 102 to execute tasks and operations for a particular application. To detect a ROP attack, target addresses of instructions may be verified to ensure ROP malware does not take over control flow of the execution instructions and main routine. To verify target addresses, valid target addresses of the main routine 122, including the execution instructions 124 and libraries 112, may be determined during a translation operation or routine and stored in cache 130.

More specifically, the computing device 101 may include a translator component 142 to perform a translation routine to translate portions of one or both of the main routine 122 and the libraries 112 into translated portions which may be stored in a translation cache 132 for execution. It is during translation that target addresses of variables and instructions are generally derived. Thus, for direct branch instructions, i.e., instructions specifying their targets with offsets, the target addresses are calculated during translation, and those target addresses are directly incorporated into the direct branch instructions as portions of routines are placed in the translation cache 132.

For at least some indirect branch instructions that incorporate an identifier of their intended targets, the translator component 142 attempts to determine their target addresses by using those identifiers to refer to one or more tables, such as an entry point table, to retrieve target addresses therefrom that are known to be valid.
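The distinction drawn in the two paragraphs above, that a direct branch carries its target as an offset that a translator can resolve statically while an indirect branch's target is only known at run time, is shown below in an added example that is not part of the patent. It decodes a handful of x86-64 branch encodings (CALL rel32, JMP rel32, JMP rel8, RET, and CALL/JMP through a register), resolves the direct targets the way a translator would when populating a lookup table, and counts the indirect branches and returns that are left for run-time validation. The byte sequence and the base address 0x401000 are constructed for the example; a real translator needs a complete decoder, and the `decode_branch`, `scan_code` and `scan_sample` names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the patent's code): static derivation of direct branch
 * targets versus indirect branches that must be validated at run time. */

typedef enum { BR_NONE, BR_DIRECT, BR_INDIRECT, BR_RET } branch_kind;

typedef struct {
    branch_kind kind;
    size_t      length;   /* instruction length in bytes */
    uint64_t    target;   /* resolved target for BR_DIRECT, otherwise 0 */
} branch_info;

/* rel32 immediates are little-endian and sign-extended. */
static int32_t read_rel32(const uint8_t *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)u;
}

/* Decode the instruction at code[off], which lives at address base + off.
 * Handled: E8 (CALL rel32), E9 (JMP rel32), EB (JMP rel8), C3 (RET), and
 * FF /2, FF /4 with a register operand (CALL reg / JMP reg). Anything else is
 * treated as a one-byte non-branch so the walk can continue. */
branch_info decode_branch(const uint8_t *code, size_t len, size_t off, uint64_t base)
{
    branch_info bi = { BR_NONE, 1, 0 };
    if (off >= len) return bi;
    uint8_t op = code[off];

    if ((op == 0xE8 || op == 0xE9) && off + 5 <= len) {
        uint64_t next = base + off + 5;                 /* offset is relative to the next IP */
        bi.kind = BR_DIRECT; bi.length = 5;
        bi.target = next + (int64_t)read_rel32(code + off + 1);
    } else if (op == 0xEB && off + 2 <= len) {
        uint64_t next = base + off + 2;
        bi.kind = BR_DIRECT; bi.length = 2;
        bi.target = next + (int64_t)(int8_t)code[off + 1];
    } else if (op == 0xC3) {
        bi.kind = BR_RET;                               /* target comes off the stack */
    } else if (op == 0xFF && off + 2 <= len) {
        uint8_t modrm = code[off + 1];
        uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7;
        if (mod == 3 && (reg == 2 || reg == 4)) {        /* CALL/JMP r64: target in a register */
            bi.kind = BR_INDIRECT; bi.length = 2;
        }
    }
    return bi;
}

#define MAX_TARGETS 16
typedef struct {
    uint64_t direct_targets[MAX_TARGETS];  /* what the translator would add to the lookup table */
    size_t   n_direct, n_indirect, n_ret;  /* indirect branches and RETs need run-time checks */
} scan_result;

scan_result scan_code(const uint8_t *code, size_t len, uint64_t base)
{
    scan_result r = {{0}, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        branch_info bi = decode_branch(code, len, off, base);
        if (bi.kind == BR_DIRECT && r.n_direct < MAX_TARGETS)
            r.direct_targets[r.n_direct++] = bi.target;
        else if (bi.kind == BR_INDIRECT) r.n_indirect++;
        else if (bi.kind == BR_RET) r.n_ret++;
        off += bi.length;
    }
    return r;
}

/* Constructed sample, assumed to be loaded at 0x401000:
 *   401000: E8 10 00 00 00   call 0x401015
 *   401005: FF D0            call rax          (indirect)
 *   401007: EB F7            jmp  0x401000
 *   401009: C3               ret
 *   40100A: E9 F1 FF FF FF   jmp  0x401000 */
static const uint8_t SAMPLE_CODE[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0xEB, 0xF7, 0xC3,
    0xE9, 0xF1, 0xFF, 0xFF, 0xFF };
static const uint64_t SAMPLE_BASE = 0x401000;

scan_result scan_sample(void)
{
    return scan_code(SAMPLE_CODE, sizeof SAMPLE_CODE, SAMPLE_BASE);
}

uint64_t sample_direct_target(size_t i)
{
    scan_result r = scan_sample();
    return i < r.n_direct ? r.direct_targets[i] : 0;
}

int main(void)
{
    scan_result r = scan_sample();
    for (size_t i = 0; i < r.n_direct; i++)
        printf("direct target %zu: 0x%llx\n", i, (unsigned long long)r.direct_targets[i]);
    printf("%zu indirect branch(es) and %zu ret(s) left for run-time validation\n",
           r.n_indirect, r.n_ret);
    return 0;
}
```

Note that the CALL at 0x401000 resolves to 0x401015 even though that address lies outside the sample bytes: the translator can record it as a valid target without having translated the callee yet, which is what lets translation proceed lazily as described later for information flow 200.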

In some embodiments, the translator component 142 may use identifiers incorporated into indirect branch instructions to retrieve indications of target addresses known to be valid from one or more alternate or additional tables such as the white list data 114. For example, one or more sizable libraries, such as libraries 112, may be included with an operating system and may normally be stored at predictable address locations in storage across a variety of computing devices. Due to the reliance of what may be a great many other routines on the function routines of those libraries, those who create those libraries are likely to make changes to those libraries only very infrequently for fear of causing unforeseen and undesirable effects on the other routines that use them. Thus, the content of such libraries tends to change only infrequently over time, such that it becomes feasible to construct a viable whitelist, such as white list data 114, of valid targets among the function routines and execution instructions 124 to which a branch instruction may validly jump.

Further and in some embodiments, the translator component 142 can derive valid target addresses once the addresses of libraries, such as libraries 112, are known. More specifically, the white list data 114 may be populated and/or filled with indications of valid target addresses as the address locations of the libraries 112 are determined; for example, when a library is loaded at a randomized base address, the valid targets within it can be derived as offsets from that base once the base is known. It should also be noted that tables, white list data 114, and so forth may be implemented as any of a variety of types of data structure in which indications of valid target addresses may be stored in any of a variety of formats.

In various embodiments, the translator component 142 may store the valid target addresses for the direct and indirect branch instructions in cache 130, and in particular, in a lookup table 134. The lookup table 134 may be any type of lookup table, including a fast lookup table, which may be used during execution of an application 120 to validate target addresses for instructions. For example, during execution the target address of an instruction, such as a return (RET) instruction, may be verified by a validation component 146 by a comparison between the target address of the instruction and a valid known target address stored in lookup table 134. In some embodiments, the valid RET target address may be dynamically populated in the lookup table 134 when a call (CALL) instruction is executed: the address of the instruction immediately following the CALL instruction is recorded as the valid target address for the corresponding RET instruction.
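The dynamic population of RET targets just described is worked through below in an added example that is not the patent's code. Each CALL records its return site (the address after the CALL) in a small open-addressing table, and each RET is checked against that table. Three constructed traces are replayed: a benign one, a ROP chain whose RETs land on gadget addresses that no CALL ever recorded, and a trace in which monitoring starts after a CALL has already executed, which produces exactly the kind of false positive the later two-counter logic exists to absorb. All addresses and the `ret_table`, `check_trace` and trace names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not the patent's code): a lookup table of valid RET targets
 * that is populated when a CALL executes and consulted when a RET executes.
 * The instruction traces and addresses below are constructed for this example. */

#define TABLE_SLOTS 64

typedef struct {
    uint64_t addr[TABLE_SLOTS];
    bool     used[TABLE_SLOTS];
} ret_table;

/* Open-addressing slot: multiply by an odd constant and keep the top 6 bits. */
static size_t slot_of(uint64_t a)
{
    return (size_t)((a * 0x9E3779B97F4A7C15ULL) >> 58);
}

bool ret_table_insert(ret_table *t, uint64_t a)
{
    size_t s = slot_of(a);
    for (size_t i = 0; i < TABLE_SLOTS; i++) {
        size_t k = (s + i) % TABLE_SLOTS;
        if (!t->used[k]) { t->used[k] = true; t->addr[k] = a; return true; }
        if (t->addr[k] == a) return true;          /* already recorded */
    }
    return false;                                  /* table full */
}

bool ret_table_contains(const ret_table *t, uint64_t a)
{
    size_t s = slot_of(a);
    for (size_t i = 0; i < TABLE_SLOTS; i++) {
        size_t k = (s + i) % TABLE_SLOTS;
        if (!t->used[k]) return false;
        if (t->addr[k] == a) return true;
    }
    return false;
}

typedef enum { EV_CALL, EV_RET } ev_kind;
typedef struct {
    ev_kind  kind;
    uint64_t ip;      /* address of the CALL or RET instruction itself */
    size_t   len;     /* encoded length of a CALL; its return site is ip + len */
    uint64_t target;  /* for EV_RET: the return address popped from the stack */
} trace_event;

typedef struct { size_t invalid_rets; uint64_t first_bad; } trace_result;

/* Replay a trace: every CALL records its return site as a valid RET target,
 * every RET is checked against the table. */
trace_result check_trace(const trace_event *ev, size_t n)
{
    ret_table t = {{0}, {false}};
    trace_result r = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_CALL) {
            ret_table_insert(&t, ev[i].ip + ev[i].len);
        } else if (!ret_table_contains(&t, ev[i].target)) {
            if (r.invalid_rets == 0) r.first_bad = ev[i].target;
            r.invalid_rets++;
        }
    }
    return r;
}

/* Benign: each RET goes back to the instruction after its CALL. */
static const trace_event BENIGN[] = {
    { EV_CALL, 0x401000, 5, 0 }, { EV_RET, 0x401100, 1, 0x401005 },
    { EV_CALL, 0x401020, 5, 0 }, { EV_RET, 0x401200, 1, 0x401025 },
};
/* ROP chain: after one legitimate CALL, each RET lands on a gadget address
 * (constructed) that no CALL ever recorded. */
static const trace_event ROP_CHAIN[] = {
    { EV_CALL, 0x401000, 5, 0 },        { EV_RET, 0x401100, 1, 0x7ffff7a3c1f3 },
    { EV_RET, 0x7ffff7a3c1f5, 1, 0x7ffff7a3d2a1 }, { EV_RET, 0x7ffff7a3d2a4, 1, 0x7ffff7a41110 },
};
/* False positive: monitoring started after the CALL at 0x401000 had already
 * executed, so its return site was never recorded and the legitimate RET to
 * 0x401005 cannot be matched. */
static const trace_event LATE_START[] = {
    { EV_RET, 0x401100, 1, 0x401005 },
    { EV_CALL, 0x401020, 5, 0 }, { EV_RET, 0x401200, 1, 0x401025 },
};

trace_result check_benign(void)     { return check_trace(BENIGN, sizeof BENIGN / sizeof BENIGN[0]); }
trace_result check_rop_chain(void)  { return check_trace(ROP_CHAIN, sizeof ROP_CHAIN / sizeof ROP_CHAIN[0]); }
trace_result check_late_start(void) { return check_trace(LATE_START, sizeof LATE_START / sizeof LATE_START[0]); }

int main(void)
{
    printf("benign:     %zu invalid RET(s)\n", check_benign().invalid_rets);
    printf("rop chain:  %zu invalid RET(s), first 0x%llx\n",
           check_rop_chain().invalid_rets, (unsigned long long)check_rop_chain().first_bad);
    printf("late start: %zu invalid RET(s) (a false positive)\n", check_late_start().invalid_rets);
    return 0;
}
```

Because the table is a set rather than a stack, it does not enforce call/return ordering: a RET to any previously recorded return site is accepted, which is weaker than a shadow stack but matches the lookup-table comparison described above and is what makes the table cheap to consult from a stub.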

In some embodiments, the computing device 101 may include a validation component 146 which may be used to verify target addresses for both direct and indirect branch instructions, such as call (CALL) instructions, jump (JMP) instructions, and RET instructions. When there is a match between a target address of an executing instruction and a valid target address in lookup table 134, the instruction may be allowed to execute. However, if the target address cannot be verified by the validation component 146, further evaluation may be required to determine whether a ROP attack is being attempted. In some embodiments, a target address may not be validated by the validation component 146 even though it is a valid target address. For example, a target address for an instruction may have changed during the time between the translation and the execution of a main routine 122 and execution instructions 124 for an application 120. Thus various embodiments may be directed to determining and managing these false positive cases.

One of the hallmarks of a ROP attack is that a number of redirecting instructions may be used to take over control flow. These redirecting instructions may occur in a row, or in some cases, valid instructions may be permitted to execute in between redirecting instructions during an attack to try to prevent detection of the attack. Thus, some embodiments may be directed to using a two-counter approach to filter out false positives from actual ROP attacks.

As illustrated in FIG. 1, computing device 101 may include an invalid target address counter 116 and an execution instruction counter 118 which may be used to filter out false positive ROP attack detections. Moreover, the invalid target address counter 116 may be any type of counter and may be incremented or decremented until an invalid target address threshold is reached or surpassed, as determined by a comparison component 144. For example, the invalid target address counter 116 may be set at zero and may be incremented by one until the invalid target address threshold is reached, as determined by the comparison component 144. Alternatively and in another example, the invalid target address counter 116 may be set to the threshold and decremented by one until zero, or any other threshold value, is reached. Further, the invalid target address threshold may be a value set or determined based on a particular application 120 executing on or by computing device 101. More specifically and in some embodiments, the invalid target address threshold may be different for each application 120 for execution on the computing device 101. Applications 120 determined to be more at risk of being attacked by a ROP attack may have the invalid target address threshold set lower than applications 120 less likely to be attacked, for example. Other factors may also contribute to determining the invalid target address threshold, including the ease of attacking the application, a user configuration, previous attempts at attacking the application, and so forth. Various embodiments are not limited in this manner.

The execution instruction counter 118 may keep track of the number of execution instructions that validly occurred while execution tracking is enabled or an application is being monitored for a possible ROP attack. In some embodiments, the execution instruction counter 118 may keep track of a number of executed basic blocks as a coarse-grain approach. The execution instruction counter 118 may be any type of counter and may be incremented or decremented until an execution instruction threshold is reached or surpassed, as determined by the comparison component 144. In some embodiments, the execution instruction counter 118 may be set to the execution instruction threshold and may be decremented by one until zero is reached. Various embodiments are not limited in this manner. As similarly discussed above, the execution instruction threshold may be a value determined or based on a number of factors for each application 120 including, but not limited to, application attack risk, user configuration, previous attack attempts and so forth. In some embodiments, one or both of the invalid target address threshold and the execution instruction threshold may be set by another application such as an anti-virus application.

The invalid target address counter 116 and the execution instruction counter 118, in combination, may be used to detect ROP attacks while filtering out possible false positive detections. For example, a security measure to thwart a ROP attack may only be initiated on the computing device 101 by a security component 148 if the invalid target address threshold is reached prior to the execution instruction threshold being reached. Alternatively, if the execution instruction threshold is reached before a security measure has been initiated and before the invalid target address threshold is reached, one or both counters may be reset to zero and execution tracking may be disabled. These and other details will become more apparent with the following description.

In some embodiments, the validation component 146 may enable execution tracking when the first invalid target address is determined for an application 120. During execution tracking various functions and routines may be disabled; for example, optimizations may be disabled, fast lookup tables may be disabled, translation blocks may be unlinked and so forth, to protect computing device 101 from a possible ROP attack. Further, execution tracking may be enabled so that an accurate count of valid execution instructions is kept. Execution tracking may be enabled when a suspected ROP attack is occurring and may be disabled once a determination is made that the detection was a false positive. More specifically, the execution tracking may be disabled when the execution instruction counter reaches or surpasses the execution instruction threshold, and execution tracking may be re-enabled the next time an invalid target address is detected.
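The two-counter filter introduced earlier and detailed in the preceding paragraphs is implemented below as an added example; it is not the patent's code, and it fixes two points the description leaves open. First, following the abstract, a security measure fires when the invalid target address count exceeds its threshold (a count equal to the threshold still executes). Second, reading "valid execution instructions executed in between each invalid target address detection" literally, the execution instruction counter is cleared on every invalid detection, so an attacker who pads a gadget chain with a few valid instructions does not get credit for them across the whole chain. When the execution counter reaches its threshold both counters are cleared and tracking is disabled, as described above. The `rop_filter` names, the threshold values 2 and 5 and the replayed patterns are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the patent's code): the two-counter false-positive
 * filter. Assumptions: a security measure fires when the invalid target
 * address count exceeds its threshold; the execution instruction counter
 * counts valid instructions since the most recent invalid detection and, on
 * reaching its threshold, clears both counters and disables tracking. */

typedef enum { ACT_EXECUTE, ACT_SECURITY_MEASURE, ACT_RESET } rop_action;

typedef struct {
    unsigned invalid_threshold;  /* per application: lower for higher-risk apps */
    unsigned exec_threshold;
    unsigned invalid_count;      /* stands in for invalid target address counter 116 */
    unsigned exec_count;         /* stands in for execution instruction counter 118 */
    bool     tracking;           /* execution tracking enabled? */
} rop_filter;

void rop_filter_init(rop_filter *f, unsigned invalid_threshold, unsigned exec_threshold)
{
    f->invalid_threshold = invalid_threshold;
    f->exec_threshold = exec_threshold;
    f->invalid_count = 0;
    f->exec_count = 0;
    f->tracking = false;
}

static void rop_filter_clear(rop_filter *f)
{
    f->invalid_count = 0;
    f->exec_count = 0;
    f->tracking = false;
}

/* Called once per validated instruction with the result of the lookup-table
 * comparison. Returns what the translator should do next. */
rop_action rop_filter_observe(rop_filter *f, bool target_valid)
{
    if (!target_valid) {
        f->invalid_count++;
        f->exec_count = 0;        /* valid instructions are counted between invalid detections */
        f->tracking = true;       /* the first invalid target enables tracking */
        if (f->invalid_count > f->invalid_threshold) {
            rop_filter_clear(f);  /* hand over to the security measure; start fresh afterwards */
            return ACT_SECURITY_MEASURE;
        }
        return ACT_EXECUTE;       /* at or below threshold: let it run, keep watching */
    }
    if (!f->tracking)
        return ACT_EXECUTE;       /* nothing pending: no counting overhead */
    f->exec_count++;
    if (f->exec_count >= f->exec_threshold) {
        rop_filter_clear(f);      /* enough clean execution: the detection was a false positive */
        return ACT_RESET;
    }
    return ACT_EXECUTE;
}

typedef struct { unsigned measures, resets; } replay_result;

/* Replay a constructed validation history: 'v' = target matched the lookup
 * table, 'x' = target did not match. */
replay_result replay_pattern(const char *pattern, unsigned invalid_threshold, unsigned exec_threshold)
{
    rop_filter f;
    replay_result r = {0, 0};
    rop_filter_init(&f, invalid_threshold, exec_threshold);
    for (const char *p = pattern; *p; p++) {
        rop_action a = rop_filter_observe(&f, *p == 'v');
        if (a == ACT_SECURITY_MEASURE) r.measures++;
        else if (a == ACT_RESET) r.resets++;
    }
    return r;
}

int main(void)
{
    struct { const char *name, *pattern; } cases[] = {
        { "single stale target, then normal execution",    "xvvvvvvv" },
        { "gadget chain",                                  "xxx" },
        { "gadgets padded with a few valid instructions",  "xvvvxvvvx" },
        { "gadgets padded with enough valid instructions", "xvvvvvxvvvvv" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        replay_result r = replay_pattern(cases[i].pattern, 2, 5);
        printf("%-48s measures=%u resets=%u\n", cases[i].name, r.measures, r.resets);
    }
    return 0;
}
```

The last replayed case is the practitioner's caveat: a chain whose gadgets are each separated by at least the execution instruction threshold of valid instructions is never reported, so the two thresholds trade false positives directly against detection of padded chains, which is why the description lets them be set per application and by an anti-virus policy.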

FIGS. 2-7 illustrate embodiments of information flow diagrams and illustrate examples of various events that may occur on a computing device while executing an application and performing translations. For example, FIG. 2 illustrates information flow 200 during a translation routine, FIG. 3 illustrates information flow 300 during a successful validation of an execution instruction, FIG. 4 illustrates information flow 400 during a detection of an invalid target address prior to reaching an invalid target address threshold, FIG. 5 illustrates information flow 500 during a detection of an invalid target address and the performing of a security measure, FIG. 6 illustrates information flow 600 during a valid target address detection while execution tracking is enabled, and FIG. 7 illustrates information flow 700 during a valid target address detection and the execution instruction threshold being reached or surpassed. Various embodiments are not limited to these particular flow diagrams and other flows may be contemplated.

In some embodiments, information flow diagram 200 may process a main routine 122 and execution instructions 124 of an application 120 by translator component 142. As previously discussed, the translator component 142 may translate execution instructions 124 to determine valid target addresses. At line 202, the translator component 142 may read or receive execution instructions 124 for an application 120 to be translated prior to the application 120 actually being executed or during the execution of the application 120. In some embodiments, the translation of some execution instructions 124 may occur while other, already translated execution instructions are executing. In other words, an entire application 120 does not need to be translated prior to the beginning of execution of the application 120 on a computing device.

At line 204, the translator component 142 may determine valid target addresses for execution instructions 124 from one or more libraries 112 stored on a computing device, included with an operating system, for example. As previously mentioned, an operating system may include libraries that change infrequently over time, and therefore, target addresses for instructions of these libraries 112 may be easily determined. Further and at line 206, the translator component 142 may also determine target addresses for execution instructions 124 based on information stored in white list data 114.

At line 208, the translator component 142 may communicate translated execution instructions to cache 130, and in particular, translation cache 132. The translated execution instructions may be stored in the translation cache 132 as execution instructions 224. The translated execution instructions 224 may be used for execution of the application 120 instead of execution instructions 124. Further, the translator component 142 may send determined valid target addresses 226 for storage in lookup table 134 at line 210. The valid target addresses 226 may be used by the validation component 146 to validate target addresses during the actual execution of the application 120 and determine whether a ROP attack is occurring.

In various embodiments, the translator component 142 may perform a translation routine prior to execution of an application 120 or dynamically during execution of an application 120. Further, the translator component 142 may determine valid target addresses for indirect branch instructions from the executable files stored in storage or from the execution instructions that are loaded into a memory, such as memory 104, during runtime of an application 120. Various embodiments are not limited in this manner.

In some embodiments, the translated execution instructions 224 may include relative offsets for direct branch instructions within the translation cache 132 and stubs for indirect branch instructions that cause the flow of execution to be directed back to the translator component 142 or directly to the lookup table 134 to check whether the intended target address matches a valid target address stored in the lookup table 134. Presuming that there has not been a stack overflow or other malicious action during execution of a translated portion of whatever routine was placed in the translation cache 132 up to that stub instruction, there should be a match for the target address of the target to which the indirect branch instruction would direct the flow of execution. Upon determining that there is a match, the translator component 142 permits that indirect branch instruction to be executed. Different types of stub instruction are substituted for different types of indirect branch instruction. Thus, a different type of stub instruction may be associated with each of indirect jump instructions, call instructions and return instructions. In some instances, a target validating instruction may be placed in the translated execution instructions 224 instead of using the stub instruction.

FIG. 3 illustrates an embodiment of an information flow diagram 300 to process and execute an application 120 and translated execution instructions 224. More specifically, information flow diagram 300 illustrates an application 120 and execution instructions 224 executing on a computing device. In FIG. 3, the translator component 142 may control and manage the execution of the translated execution instructions 224. For example, the translator component 142 controls the flow of the translated execution instructions 224, including executing direct branch instructions and indirect branch instructions once they are verified based on valid target addresses.

At line 302, the validation component 146 may receive an intended target address for a translated execution instruction 224, and in particular, an indirect branch instruction. The intended target must be validated by the validation component 146 before the instruction is executed on the computing device. The validation component 146 may read and retrieve a valid target address 226 from the lookup table 134 at line 304. The validation component 146 may perform a comparison to ensure that the intended target address matches the valid target address for the execution instruction that is to be executed. In the example illustrated in FIG. 3, the validation component 146 determines that the intended target address is valid based on the comparison.

At line 306, the validation component 146 may communicate information to the translator component 142 indicating that the translated execution instruction 224 has been validated and may be executed on the computing device. The translator component 142 may proceed with executing the execution instruction. Information flow diagram 300 may be repeated any number of times, each time a target address for a translated execution instruction 224 needs to be validated.

FIG. 4 illustrates an embodiment of an information flow diagram 400 to process and execute an application 120 and translated execution instructions 224. More specifically, information flow diagram 400 illustrates an application 120 and translated execution instructions 224, including direct and indirect branch instructions, executing on a computing device. In FIG. 4, the translator component 142 may control and manage the execution of the translated execution instructions 224. In this embodiment, an intended target address for an execution instruction 224 is not validated by the validation component 146.

At line 402, the validation component 146 may receive an intended target address for a translated execution instruction 224, and in particular, an indirect branch instruction. The intended target address may be validated by the validation component 146 before the instruction is executed on the computing device. The validation component 146 may read and retrieve a valid target address 226 from the lookup table 134 at line 404. The validation component 146 may then compare the two to ensure that the intended target address matches the valid target address for the translated execution instruction 224 that is to be executed. As mentioned, in this example the intended target address for the instruction cannot be validated by the validation component 146 because the intended target address does not match the valid target address in the lookup table 134.

The validation component 146 may communicate information to the invalid target address counter 116 indicating that an invalid target address has been detected and that the counter is to be incremented (or decremented) by one. Further, the validation component 146 may communicate similar information to the translator component 142, which may enable execution tracking at line 408 if it is not already enabled. The validation component 146 may communicate the information to the invalid target address counter 116 and the translator component 142 concurrently in some embodiments, and various embodiments are not limited in this manner.

Further, at line 410 the comparison component 144 may determine whether the invalid target address counter 116 has reached (or exceeded) an invalid target address threshold. As previously mentioned, the invalid target address threshold may be based on one or more factors, such as application attack risk, user configuration, and previous attack attempts. In some embodiments, when the invalid target address counter 116 reaches (or exceeds) the invalid target address threshold, one or more security measures may be initiated. However, in this example the comparison component 144 determines that the invalid target address counter 116 has not reached (or exceeded) the invalid target address threshold, and the execution instruction is permitted to be executed. More specifically, at line 412 the translator component 142 executes the translated execution instruction 224 with the invalid target address.

FIG. 5 illustrates an embodiment of an information flow diagram 500 to process and execute an application 120 and translated execution instructions 224. More specifically, information flow diagram 500 illustrates an application 120 and translated execution instructions 224, including direct and indirect branch instructions, executing on a computing device. In FIG. 5, the translator component 142 may control and manage the execution of the translated execution instructions 224. In this embodiment, an intended target address for an execution instruction 224 is not validated by the validation component 146, similar to the case discussed above with respect to FIG. 4.

For example, at line 502 the validation component 146 may receive or retrieve an intended target address for an indirect branch instruction. Further, at line 504 the validation component 146 may compare the intended target address with the valid target address 226 in the lookup table 134. The validation component 146 may determine that the intended target address is invalid and send information to the invalid target address counter 116 at line 506, and in some embodiments also to the translator component 142 and the comparison component 144. Further, execution tracking may be enabled, if it is disabled, when the validation component 146 invalidates the intended target address.

At line 508, the comparison component 144 may make a comparison to determine whether the invalid target address counter 116 has reached (or exceeded) the invalid target address threshold. In this example, the invalid target address counter 116 has reached (or exceeded) the invalid target address threshold, indicating that a ROP attack may be occurring. At line 510, the security component 148 may initiate one or more security measures to protect the computing device from the ROP attack. For example, the security component 148 may kill the execution of the application 120 that is suspected of being the subject of the ROP attack. In another example, the security component 148 may attempt to quarantine the execution instructions that are being taken over by the ROP attack. In a third example, the security component 148 may notify another piece of software, such as an anti-virus application, so that it may handle the ROP attack. Various embodiments are not limited in this manner, and other security measures may be initiated.

FIG. 6 illustrates an embodiment of an information flow diagram 600 to process and execute an application 120 and translated execution instructions 224 when execution tracking is enabled. As previously mentioned, execution tracking may be enabled when an invalid target address is detected. Execution tracking may remain enabled until a security measure is initiated due to a possible ROP attack, or until a predetermined number of valid execution instructions occur after the first invalid target address is found. In the embodiment illustrated in FIG. 6, execution tracking is enabled and a target address is verified, but the execution instruction counter is not greater than the execution instruction threshold.

As discussed above with respect to FIGS. 3 through 5, the validation component 146 may receive an intended target address for an indirect branch instruction at line 602. Further, the validation component 146 may validate the intended target address by comparing it with a valid target address 226 in the lookup table 134 at line 604. As mentioned, in this example the intended target address is valid. At line 606, the validation component 146 may increment (or decrement) the execution instruction counter 118, since execution tracking is enabled.

At line 608, the comparison component 144 may compare the execution instruction counter 118 with an execution instruction threshold, which may be predetermined or based on one or more factors, such as ROP attack risk, user configuration, or previous ROP attack attempts. For example, the execution instruction threshold may be adjusted based on the number of “valid” target addresses observed between invalid target addresses during previous ROP attacks. In other words, the components may “learn” from previous ROP attacks an appropriate number of valid target addresses between invalid target addresses that indicates whether an attack is occurring or whether a false positive has been detected. In this example, the execution instruction counter 118 is not greater than the execution instruction threshold. At line 610, the current execution instruction may be processed or executed, and execution tracking may remain enabled.

FIG. 7 illustrates an embodiment of an information flow diagram 700 to process and execute an application 120 and translated execution instructions 224 when execution tracking is enabled. As previously mentioned, execution tracking may be enabled when an invalid target address is detected. Execution tracking may remain enabled until a security measure is initiated due to a possible ROP attack, or until a predetermined number of valid execution instructions occur after the first invalid target address is found. In the embodiment illustrated in FIG. 7, execution tracking is enabled, a target address is verified, and the execution instruction counter is greater than the execution instruction threshold.

In FIG. 7, lines 702 through 706 are the same as lines 602 through 606 of FIG. 6. However, at line 708 the comparison component 144 determines that the execution instruction counter 118 is greater than the execution instruction threshold. Thus, execution tracking may be disabled, since the earlier invalid target address was likely a false positive. Further, at line 710 the translator component 142 may reset one or both of the invalid target address counter 116 and the execution instruction counter 118. The counters may be reset to zero or to any other starting value.

FIGS. 2 through 7 illustrate certain communications occurring in a certain order. However, various embodiments are not limited in this manner, and one or more communications may occur in parallel or concurrently. In addition, FIGS. 2 through 7 show only a limited number of communications occurring between the various components of a computing device. Various embodiments are not limited in this manner either. Other information may be communicated between the components of the computing device such that ROP attacks and false positives may be detected and readily handled without causing harm to the device.

FIG. 8 illustrates an embodiment of a logic flow 800 for processing execution instructions, including direct branch instructions and indirect branch instructions. In various embodiments, logic flow 800 may be implemented and executed on any computing system or computing device, such as computing device 101 as illustrated in FIG. 1. Further, logic flow 800 shows a number of logic steps or blocks occurring in a certain order or sequence. Various embodiments are not limited in this manner, and certain blocks may occur before and/or after other blocks, as one skilled in the art will understand.

At block 802, an execution instruction may be analyzed during execution of an application, and at block 804 a determination may be made as to whether the execution instruction is a return (RET) instruction or another type of instruction, such as an indirect branch instruction or a direct branch instruction. Further, as previously mentioned, execution instructions may be translated prior to execution of an application or dynamically while an application is being executed. During translation, execution instructions may be analyzed, and if they are direct branch instructions they may be copied and stored in the cache with offsets. However, if the execution instructions are indirect branch instructions, a stub instruction may be placed in the cache in place of the execution instruction, and a return target address may be predicted and stored in a lookup table.

If the execution instruction is a RET instruction, a comparison may be made at block 806 to determine whether the intended target address of the RET instruction matches the predicted target address. More specifically, the predicted target address for the RET instruction may be read or retrieved from a lookup table and compared to the intended target address of the RET instruction being executed. As mentioned, during a ROP attack a different target address may be substituted for a RET instruction to redirect the execution of the application to a different portion of memory or a different set of instructions, such that malicious code may be executed.

At decision block 808, a determination may be made as to whether the predicted target address matches the intended target address for the RET instruction. If they do match, a determination as to whether execution tracking is enabled may be made at decision block 818, and the instruction may be executed at block 828. However, if the predicted target address does not match the intended target address, an invalid target address counter may be incremented (or decremented) at block 810. Further, execution tracking may be enabled at block 812 if it is not already enabled.

In some embodiments, if it is determined at decision block 814 that the invalid target address counter is greater than an invalid target address threshold, one or more security measures may be initiated at block 816. For example, execution of the application may be suspended or halted, execution instructions with the invalid target addresses may be quarantined, and/or an anti-virus program may be notified to handle the ROP attack. Alternatively, if the invalid target address counter is not greater than the invalid target address threshold, the execution instruction may be executed at block 828. Although decision block 814 indicates that the counter must be greater than the threshold, various embodiments are not limited in this manner. The counter and threshold may be configured in any number of ways. For example, the security measure may be initiated when the invalid target address counter equals the invalid target address threshold.

In some embodiments, a determination may be made at block 818 as to whether execution tracking is enabled. For example, if the execution instruction is not a RET instruction, or if the predicted target address matches the intended target address, block 818 may occur. Execution tracking may be used to filter out false positive detections and may be enabled if a previous execution instruction had an invalid target address. As mentioned, one of the hallmarks of a ROP attack is back-to-back execution instructions with invalid target addresses or, in some instances, a predictable number of valid execution instructions between instructions with invalid target addresses. Thus, execution tracking may remain enabled until the number of valid execution instructions is greater than an execution instruction threshold.

More specifically, if execution tracking is enabled at block 818, an execution instruction counter may be incremented (or decremented) at block 820. Further, a determination may be made at decision block 822 as to whether the execution instruction counter is greater than an execution instruction threshold. The execution instruction threshold may be predetermined, or determined based on a number of factors including previous ROP attacks, user configuration, anti-virus software configuration, security configuration, and so forth. Further, although decision block 822 indicates that the counter must be greater than the threshold, various embodiments are not limited in this manner. The counter and threshold may be configured in any number of ways.

At block 826, one or both of the execution instruction counter and the invalid target address counter may be reset to initial values, such as zero, one or any other initial value. In addition, execution tracking may be disabled and, at block 828, the current execution instruction may be executed. If at decision block 822 the execution instruction counter is not greater than the execution instruction threshold, translation blocks may be unlinked at block 824, and the execution instruction may be executed at block 828. The translation blocks may be unlinked so that the translator component regains control of the execution flow at every translation block. The translator component may then track the number of instructions in each basic block executed, for use in updating the execution instruction counter.
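The decision logic of FIGS. 4 through 8 (validate a RET target against the lookup table, count invalid targets against a threshold, and use execution tracking of the clean instructions that follow to discard false positives) can be written compactly as a small state machine. The following C program is an added example for this page; it is not code from the patent or from any implementation of it. The structure names, the choice to key the lookup table by branch site, the decision not to reset the execution instruction counter on a new mismatch, the threshold values, and all addresses and traces are assumptions constructed for the example. It replays two constructed traces through the same detector: a benign trace with two isolated mismatches and a gadget chain with back-to-back mismatches, showing that only the latter trips the security measure, and that the benign trace would have tripped it too had execution tracking never reset the counter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Lookup table 134 stand-in: one valid target address per indirect branch
 * site (keying by site is an assumption). All addresses in this file are
 * constructed sample data, not addresses taken from any real binary. */
typedef struct { uint64_t site; uint64_t valid_target; } table_entry;
typedef struct { const table_entry *e; size_t n; } lookup_table;

static bool table_lookup(const lookup_table *t, uint64_t site, uint64_t *out)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].site == site) { *out = t->e[i].valid_target; return true; }
    return false;   /* unknown site: no prediction to validate against */
}

/* Detector state: the counters and thresholds of FIGS. 4-8 (names assumed). */
typedef struct {
    unsigned invalid_count, invalid_threshold;  /* counter 116 and its threshold */
    unsigned exec_count, exec_threshold;        /* counter 118 and its threshold */
    bool     tracking;                          /* execution tracking (block 812) */
} rop_detector;

typedef enum { ACT_EXECUTE, ACT_SECURITY_MEASURE } rop_action;

/* Blocks 818-826: a validated branch or any non-RET instruction while tracking
 * is on. Enough clean instructions after a mismatch mark it a false positive:
 * both counters are reset and tracking is switched off. */
static void on_clean_instruction(rop_detector *d)
{
    if (d->tracking && ++d->exec_count > d->exec_threshold) {
        d->invalid_count = d->exec_count = 0;
        d->tracking = false;
    }
}

/* Blocks 806-816: compare the RET's intended target with the table and decide.
 * Assumption: a new mismatch does not reset the execution instruction counter;
 * the page leaves that choice open. */
static rop_action check_return(rop_detector *d, const lookup_table *t,
                               uint64_t site, uint64_t intended)
{
    uint64_t valid;
    if (table_lookup(t, site, &valid) && valid == intended) {
        on_clean_instruction(d);
        return ACT_EXECUTE;
    }
    d->invalid_count++;
    d->tracking = true;
    return d->invalid_count > d->invalid_threshold ? ACT_SECURITY_MEASURE : ACT_EXECUTE;
}

/* One event of a constructed instruction trace: a RET with its intended
 * target, or any other instruction (site and target unused). */
typedef struct { bool is_ret; uint64_t site, intended; } trace_event;

static const table_entry SAMPLE_ENTRIES[] = {
    { 0x1000, 0x2000 }, { 0x1100, 0x2100 }, { 0x1200, 0x2200 },
};
static const lookup_table SAMPLE_TABLE = { SAMPLE_ENTRIES, 3 };

/* Replays a trace with invalid threshold 1 (a second invalid target triggers a
 * measure) and the given execution threshold. Returns the index of the first
 * event that triggered a security measure, or -1 if everything executed. */
static int replay(const trace_event *ev, size_t n, unsigned exec_threshold)
{
    rop_detector d = { 0, 1, 0, exec_threshold, false };
    for (size_t i = 0; i < n; i++) {
        if (!ev[i].is_ret) { on_clean_instruction(&d); continue; }
        if (check_return(&d, &SAMPLE_TABLE, ev[i].site, ev[i].intended) == ACT_SECURITY_MEASURE)
            return (int)i;
    }
    return -1;
}

/* Two isolated mismatches separated by five clean instructions. */
static const trace_event BENIGN[] = {
    { true, 0x1000, 0x2000 }, { true, 0x1100, 0x3333 }, { false, 0, 0 },
    { true, 0x1200, 0x2200 }, { false, 0, 0 }, { false, 0, 0 }, { false, 0, 0 },
    { true, 0x1000, 0x4444 }, { true, 0x1100, 0x2100 },
};
/* A gadget chain: back-to-back returns to addresses the table never predicted. */
static const trace_event ATTACK[] = {
    { true, 0x1000, 0x2000 }, { true, 0x1100, 0x5010 }, { false, 0, 0 },
    { true, 0x1300, 0x5020 },
};
#define LEN(a) (sizeof (a) / sizeof (a)[0])

int benign_with_reset(void)    { return replay(BENIGN, LEN(BENIGN), 4); }    /* -1 */
int benign_without_reset(void) { return replay(BENIGN, LEN(BENIGN), 1000); } /* 7 */
int attack_chain(void)         { return replay(ATTACK, LEN(ATTACK), 4); }    /* 3 */

int main(void)
{
    printf("benign trace, counters reset after 4 clean instructions: %d\n", benign_with_reset());
    printf("benign trace, counters never reset:                      %d\n", benign_without_reset());
    printf("gadget chain, counters reset after 4 clean instructions: %d\n", attack_chain());
    return 0;
}
```

With an execution instruction threshold of 4, the five clean instructions after the first stray mismatch in the benign trace push the execution instruction counter past the threshold, so the invalid target address counter is reset before the second mismatch arrives and the trace runs to completion. With the reset effectively disabled (threshold 1000), the same trace is flagged at event 7, which is exactly the false positive the execution tracking of FIGS. 6 and 7 exists to filter out. The gadget chain is flagged at event 3: its second invalid return arrives after only one clean instruction. The direction of the counters (incrementing here versus the decrementing alternative the text allows) and the strictness of the comparison (greater than versus greater than or equal) are configuration choices and do not change the structure of the logic.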

FIG. 9 illustrates an embodiment of a logic flow 900. The logic flow maybe representative of some or all of the operations executed by one ormore embodiments described herein. For example, the logic flow 900 mayillustrate operations performed by the systems and logic flows of FIGS.1-8.

In the illustrated embodiment shown in FIG. 9, the logic flow 900 may include, at block 905, determining whether a target address of a register for an execution instruction is valid or invalid based on a comparison between the target address and one or more valid target addresses stored in a storage. As previously mentioned, one or more valid target addresses for execution instructions, such as indirect branch instructions, may be determined during a translation routine or process and stored in memory or storage, such as in a fast lookup table. During execution of the execution instruction, an intended target address for the instruction may be determined and compared with the stored valid target address.

At block 910, the logic flow 900 may include increasing a number of invalid target addresses if the target address is invalid. For example, a counter, such as an invalid target address counter, may be incremented (or decremented) when the comparison determines that the intended target address is invalid. Further, the logic flow 900 may include, at block 915, determining whether the number of invalid target addresses is greater than an invalid target address threshold. More specifically, a comparison may be made to determine whether the counter is greater than or equal to a threshold value. In some embodiments, when the counter counts down toward a threshold value, the comparison may instead determine whether the number is less than the threshold value. Various embodiments are not limited in this manner.

The logic flow 900 may also include, at block 920, initiating a security measure to prevent a security breach if the number of invalid target addresses is greater than the invalid target address threshold. As previously discussed, a number of security measures, such as halting the execution of an application, performing an anti-virus scan, and quarantining the suspected execution instruction, may be initiated if an attack is suspected. However, in some embodiments the logic flow 900 includes, at block 925, executing the execution instruction if the number of invalid target addresses is less than or equal to the invalid target address threshold. As previously mentioned, a predetermined or defined number of invalid target addresses is permitted before a security measure is initiated, in order to filter out false positive detections. Various embodiments are not limited in this manner.

FIG. 10 illustrates one embodiment of a system 1000. In variousembodiments, system 1000 may be representative of a system orarchitecture suitable for use with one or more embodiments describedherein, such as system 100 of FIG. 1. The embodiments are not limited inthis respect.

As shown in FIG. 10, system 1000 may include multiple elements. One ormore elements may be implemented using one or more circuits, components,registers, processors, software subroutines, modules, or any combinationthereof, as desired for a given set of design or performanceconstraints. Although FIG. 10 shows a limited number of elements in acertain topology by way of example, it can be appreciated that more orless elements in any suitable topology may be used in system 1000 asdesired for a given implementation. The embodiments are not limited inthis context.

In various embodiments, system 1000 may include a computing device 1005which may be any type of computer or processing device including apersonal computer, desktop computer, tablet computer, netbook computer,notebook computer, laptop computer, server, server farm, blade server,or any other type of server, and so forth.

Other examples of computing device 1005 also may include computers thatare arranged to be worn by a person, such as a wrist computer, fingercomputer, ring computer, eyeglass computer, belt-clip computer, arm-bandcomputer, shoe computers, clothing computers, and other wearablecomputers. In embodiments, for example, a computing device 1005 may beimplemented as a smart phone capable of executing computer applications,as well as voice communications and/or data communications. Althoughsome embodiments may be described with a computing device 1005implemented as a smart phone by way of example, it may be appreciatedthat other embodiments may be implemented using other wireless computingdevices as well. The embodiments are not limited in this context.

In various embodiments, computing device 1005 may include processorcircuit 1002. Processor circuit 1002 may be implemented using anyprocessor or logic device. The processing circuit 1002 may be one ormore of any type of computational element, such as but not limited to, amicroprocessor, a processor, central processing unit, digital signalprocessing unit, dual core processor, mobile device processor, desktopprocessor, single core processor, a system-on-chip (SoC) device, complexinstruction set computing (CISC) microprocessor, a reduced instructionset (RISC) microprocessor, a very long instruction word (VLIW)microprocessor, or any other type of processor or processing circuit ona single chip or integrated circuit. The processing circuit 1002 may beconnected to and communicate with the other elements of the computingsystem via an interconnect 1043, such as one or more buses, controllines, and data lines.

In one embodiment, computing device 1005 may include a memory unit 1004 coupled to processor circuit 1002. Memory unit 1004 may be coupled to processor circuit 1002 via communications bus 1043, or by a dedicated communications bus between processor circuit 1002 and memory unit 1004, as desired for a given implementation. Memory unit 1004 may be implemented using any machine-readable or computer-readable media capable of storing data, including both volatile and non-volatile memory. In some embodiments, the machine-readable or computer-readable medium may include a non-transitory medium. The embodiments are not limited in this context.

Computing device 1005 may include a graphics processing unit (GPU) 1006, in various embodiments. The GPU 1006 may include any processing unit, logic or circuitry optimized to perform graphics-related operations, as well as video decoder engines and frame correlation engines. The GPU 1006 may be used to render 2-dimensional (2-D) and/or 3-dimensional (3-D) images for various applications such as video games, graphics, computer-aided design (CAD), simulation and visualization tools, imaging, etc. Various embodiments are not limited in this manner; GPU 1006 may process any type of graphics data such as pictures, videos, programs, animation, 3D and 2D objects, images and so forth.

In some embodiments, computing device 1005 may include a displaycontroller 1008. Display controller 1008 may be any type of processor,controller, circuit, logic, and so forth for processing graphicsinformation and displaying the graphics information. The displaycontroller 1008 may receive or retrieve graphics information from one ormore buffers, such as buffer(s) 220. After processing the information,the display controller 1008 may send the graphics information to adisplay.

In various embodiments, system 1000 may include a transceiver 1044.Transceiver 1044 may include one or more radios capable of transmittingand receiving signals using various suitable wireless communicationstechniques. Such techniques may involve communications across one ormore wireless networks. Exemplary wireless networks include (but are notlimited to) wireless local area networks (WLANs), wireless personal areanetworks (WPANs), wireless metropolitan area network (WMANs), cellularnetworks, and satellite networks. In communicating across such networks,transceiver 1044 may operate in accordance with one or more applicablestandards in any version. The embodiments are not limited in thiscontext.

In various embodiments, computing device 1005 may include a display1045. Display 1045 may constitute any display device capable ofdisplaying information received from processor circuit 1002, graphicsprocessing unit 1006 and display controller 1008.

In various embodiments, computing device 1005 may include storage 1046. Storage 1046 may be implemented as a non-volatile storage device such as, but not limited to, a magnetic disk drive, optical disk drive, tape drive, an internal storage device, an attached storage device, flash memory, battery backed-up SDRAM (synchronous DRAM), and/or a network accessible storage device. In embodiments, storage 1046 may include technology to increase storage performance and enhance protection for valuable digital media when multiple hard drives are included, for example. Further examples of storage 1046 may include a hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), optical disk, magnetic media, magneto-optical media, removable memory cards or disks, various types of DVD devices, a tape device, a cassette device, or the like. The embodiments are not limited in this context.

In various embodiments, computing device 1005 may include one or moreI/O adapters 1047. Examples of I/O adapters 1047 may include UniversalSerial Bus (USB) ports/adapters, IEEE 1394 Firewire ports/adapters, andso forth. The embodiments are not limited in this context.

FIG. 11 illustrates an embodiment of an exemplary computing architecture 1100 suitable for implementing various embodiments as previously described. In one embodiment, the computing architecture 1100 may include or be implemented as part of system 100.

As used in this application, the terms “system” and “component” areintended to refer to a computer-related entity, either hardware, acombination of hardware and software, software, or software inexecution, examples of which are provided by the exemplary computingarchitecture 1100. For example, a component can be, but is not limitedto being, a process running on a processor, a processor, a hard diskdrive, multiple storage drives (of optical and/or magnetic storagemedium), an object, an executable, a thread of execution, a program,and/or a computer. By way of illustration, both an application runningon a server and the server can be a component. One or more componentscan reside within a process and/or thread of execution, and a componentcan be localized on one computer and/or distributed between two or morecomputers. Further, components may be communicatively coupled to eachother by various types of communications media to coordinate operations.The coordination may involve the uni-directional or bi-directionalexchange of information. For instance, the components may communicateinformation in the form of signals communicated over the communicationsmedia. The information can be implemented as signals allocated tovarious signal lines. In such allocations, each message is a signal.Further embodiments, however, may alternatively employ data messages.Such data messages may be sent across various connections. Exemplaryconnections include parallel interfaces, serial interfaces, and businterfaces.

The computing architecture 1100 includes various common computingelements, such as one or more processors, multi-core processors,co-processors, memory units, chipsets, controllers, peripherals,interfaces, oscillators, timing devices, video cards, audio cards,multimedia input/output (I/O) components, power supplies, and so forth.The embodiments, however, are not limited to implementation by thecomputing architecture 1100.

As shown in FIG. 11, the computing architecture 1100 includes aprocessing unit 1104, a system memory 1106 and a system bus 1108. Theprocessing unit 1104 can be any of various commercially availableprocessors.

The system bus 1108 provides an interface for system componentsincluding, but not limited to, the system memory 1106 to the processingunit 1104. The system bus 1108 can be any of several types of busstructure that may further interconnect to a memory bus (with or withouta memory controller), a peripheral bus, and a local bus using any of avariety of commercially available bus architectures. Interface adaptersmay connect to the system bus 1108 via slot architecture. Example slotarchitectures may include without limitation Accelerated Graphics Port(AGP), Card Bus, (Extended) Industry Standard Architecture ((E)ISA),Micro Channel Architecture (MCA), NuBus, Peripheral ComponentInterconnect (Extended) (PCI(X)), PCI Express, Personal Computer MemoryCard International Association (PCMCIA), and the like.

The computing architecture 1100 may include or implement variousarticles of manufacture. An article of manufacture may include acomputer-readable storage medium to store logic. Examples of acomputer-readable storage medium may include any tangible media capableof storing electronic data, including volatile memory or non-volatilememory, removable or non-removable memory, erasable or non-erasablememory, writeable or re-writeable memory, and so forth. Examples oflogic may include executable computer program instructions implementedusing any suitable type of code, such as source code, compiled code,interpreted code, executable code, static code, dynamic code,object-oriented code, visual code, and the like. Embodiments may also beat least partly implemented as instructions contained in or on anon-transitory computer-readable medium, which may be read and executedby one or more processors to enable performance of the operationsdescribed herein.

The system memory 1106 may include various types of computer-readable storage media in the form of one or more higher speed memory units, such as read-only memory (ROM), random-access memory (RAM), dynamic RAM (DRAM), Double-Data-Rate DRAM (DDRAM), synchronous DRAM (SDRAM), static RAM (SRAM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, polymer memory such as ferroelectric polymer memory, ovonic memory, phase change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, an array of devices such as Redundant Array of Independent Disks (RAID) drives, solid state memory devices (e.g., USB memory, solid state drives (SSD)) and any other type of storage media suitable for storing information. In the illustrated embodiment shown in FIG. 11, the system memory 1106 can include non-volatile memory 1110 and/or volatile memory 1112. A basic input/output system (BIOS) can be stored in the non-volatile memory 1110.

The computer 1102 may include various types of computer-readable storage media in the form of one or more lower speed memory units, including an internal (or external) hard disk drive (HDD) 1114, a magnetic floppy disk drive (FDD) 1116 to read from or write to a removable magnetic disk 1118, and an optical disk drive 1120 to read from or write to a removable optical disk 1122 (e.g., a CD-ROM or DVD). The HDD 1114, FDD 1116 and optical disk drive 1120 can be connected to the system bus 1108 by a HDD interface 1124, an FDD interface 1126 and an optical drive interface 1128, respectively. The HDD interface 1124 for external drive implementations can include at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

The drives and associated computer-readable media provide volatile and/or nonvolatile storage of data, data structures, computer-executable instructions, and so forth. For example, a number of program modules can be stored in the drives and memory units 1110, 1112, including an operating system 1130, one or more application programs 1132, other program modules 1134, and program data 1136. In one embodiment, the one or more application programs 1132, other program modules 1134, and program data 1136 can include, for example, the various applications and/or components of the system 100.

A user can enter commands and information into the computer 1102 through one or more wire/wireless input devices, for example, a keyboard 1138 and a pointing device, such as a mouse 1140. Other input devices may include microphones, infra-red (IR) remote controls, radio-frequency (RF) remote controls, game pads, stylus pens, card readers, dongles, finger print readers, gloves, graphics tablets, joysticks, keyboards, retina readers, touch screens (e.g., capacitive, resistive, etc.), trackballs, track pads, sensors, styluses, and the like. These and other input devices are often connected to the processing unit 1104 through an input device interface 1142 that is coupled to the system bus 1108, but can be connected by other interfaces such as a parallel port, IEEE 1394 serial port, a game port, a USB port, an IR interface, and so forth.

A monitor 1144 or other type of display device is also connected to the system bus 1108 via an interface, such as a video adaptor 1146. The monitor 1144 may be internal or external to the computer 1102. In addition to the monitor 1144, a computer typically includes other peripheral output devices, such as speakers, printers, and so forth.

The computer 1102 may operate in a networked environment using logical connections via wire and/or wireless communications to one or more remote computers, such as a remote computer 1148. The remote computer 1148 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 1102, although, for purposes of brevity, only a memory/storage device 1150 is illustrated. The logical connections depicted include wire/wireless connectivity to a local area network (LAN) 1152 and/or larger networks, for example, a wide area network (WAN) 1154. Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, for example, the Internet.

When used in a LAN networking environment, the computer 1102 is connected to the LAN 1152 through a wire and/or wireless communication network interface or adaptor 1156. The adaptor 1156 can facilitate wire and/or wireless communications to the LAN 1152, which may also include a wireless access point disposed thereon for communicating with the wireless functionality of the adaptor 1156.

When used in a WAN networking environment, the computer 1102 can include a modem 1158, or is connected to a communications server on the WAN 1154, or has other means for establishing communications over the WAN 1154, such as by way of the Internet. The modem 1158, which can be internal or external and a wire and/or wireless device, connects to the system bus 1108 via the input device interface 1142. In a networked environment, program modules depicted relative to the computer 1102, or portions thereof, can be stored in the remote memory/storage device 1150. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.

The computer 1102 is operable to communicate with wire and wireless devices or entities using the IEEE 1102 family of standards, such as wireless devices operatively disposed in wireless communication (e.g., IEEE 1102.11 over-the-air modulation techniques). This includes at least Wi-Fi (or Wireless Fidelity), WiMax, and Bluetooth™ wireless technologies, among others. Thus, the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices. Wi-Fi networks use radio technologies called IEEE 1102.11x (a, b, g, n, etc.) to provide secure, reliable, fast wireless connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wire networks (which use IEEE 1102.3-related media and functions).

The various elements of the systems 100, 1500, 1100 as previously described with reference to FIGS. 1-16 may include various hardware elements, software elements, or a combination of both. Examples of hardware elements may include devices, logic devices, components, processors, microprocessors, circuits, processors, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth), integrated circuits, application specific integrated circuits (ASIC), programmable logic devices (PLD), digital signal processors (DSP), field programmable gate array (FPGA), memory units, logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth. Examples of software elements may include software components, programs, applications, computer programs, application programs, system programs, software development programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. However, determining whether an embodiment is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given implementation.

The detailed disclosure now turns to providing examples that pertain to further embodiments. Examples one through twenty-five (1-25) provided below are intended to be exemplary and non-limiting.

In a first example, an article comprising a non-transitory computer-readable storage medium comprising a plurality of instructions that when executed enable processing circuitry to determine whether a target address of a register for an execution instruction is valid or invalid based on a comparison between the target address and one or more valid target addresses stored in a storage, increase a number of invalid target addresses when the target address is invalid, determine whether the number of invalid target addresses is greater than an invalid target address threshold, and initiate a security measure to prevent a security breach when the number of invalid target addresses is greater than the invalid target address threshold.

In a second example and in furtherance of the first example, a plurality of instructions that when executed enable a processing circuitry to determine whether a number of valid execution instructions is greater than an execution instruction threshold, and reset a counter for the number of invalid target addresses and a counter for the number of valid execution instructions when the number of valid execution instructions is greater than the execution instruction threshold.

In a third example and in furtherance of any of the previous examples, a plurality of instructions that when executed enable a processing circuitry to enable an execution tracking routine when the target address of the register is invalid, the execution tracking routine to disable one or more optimizations and fast lookup tables.

In a fourth example and in furtherance of any of the previous examples, a plurality of instructions that when executed enable a processing circuitry to perform the execution instruction when the target address is valid or if the number of invalid target addresses is less than or equal to the invalid target address threshold.

In a fifth example and in furtherance of any of the previous examples, wherein the execution instruction is part of a main routine of an application stored in the storage.

In a sixth example and in furtherance of any of the previous examples, a plurality of instructions that when executed enable a processing circuitry to perform a translation routine on one or more routines to determine one or more valid target addresses and store the one or more valid target addresses in a lookup table.

In a seventh example and in furtherance of any of the previous examples, a plurality of instructions that when executed enable a processing circuitry to determine at least one of the invalid target address threshold and the execution instruction threshold based on a security setting.

In an eighth example and in furtherance of any of the previous examples, the security measure comprising a plurality of instructions that when executed enable the processing circuitry to disable a main routine for the execution instruction and/or report a security breach attempt to a security component.

In a ninth example and in furtherance of any of the previous examples, a method may include determining whether a target address of a register for an execution instruction is valid or invalid based on a comparison between the target address and one or more valid target addresses stored in a storage, increasing a number of invalid target addresses when the target address is invalid, determining whether the number of invalid target addresses is greater than or equal to an invalid target address threshold, and initiating a security measure to prevent a security breach when the number of invalid target addresses is greater than or equal to the invalid threshold.

In a tenth example and in furtherance of any of the previous examples, a method may include determining whether a number of valid execution instructions is greater than an execution instruction threshold, and resetting a counter for the number of invalid target addresses and a counter for the number of valid execution instructions when the number of valid execution instructions is greater than the execution instruction threshold.

In an eleventh example and in furtherance of any of the previous examples, a method may include enabling an execution tracking routine when the target address of the register is invalid, the execution tracking routine to disable one or more optimizations and one or more fast lookup tables.

In a twelfth example and in furtherance of any of the previous examples, a method may include performing the execution instruction when the target address is valid or if the number of invalid target addresses is less than or equal to the invalid target address threshold.

In a thirteenth example and in furtherance of any of the previous examples, a method may include the execution instruction being part of a main routine of an application stored in the storage.

In a fourteenth example and in furtherance of any of the previous examples, a method may include performing a translation routine on one or more routines to determine one or more valid target addresses, and storing the one or more valid target addresses in a lookup table.

In a fifteenth example and in furtherance of any of the previous examples, a method may include determining at least one of an invalid target address threshold and an execution instruction threshold based on a security setting.

In a sixteenth example and in furtherance of any of the previous examples, a method may include the security measure comprising disabling a main routine for the execution instruction and/or reporting a security breach attempt to a security component.

In a seventeenth example and in furtherance of any of the previous examples, a system, a device or an apparatus may include memory, storage, processing circuitry comprising one or more registers, and a validation component executable on the processing circuitry to determine whether a target address of a register of the one or more registers for an execution instruction is valid or invalid based on a comparison between the target address and one or more valid target addresses stored in the storage and decrease a number of invalid target addresses when the target address is invalid. The apparatus may include a comparison component executable on the processing circuitry to determine whether a number of invalid target addresses is less than or equal to an invalid target address threshold and a security component executable on the processing circuitry to initiate a security measure to prevent a security breach when the number of invalid target addresses is equal to or less than the invalid threshold.

In an eighteenth example and in furtherance of any of the previous examples, a system, a device or an apparatus may include the comparison component to determine whether a number of valid execution instructions is greater than an execution instruction threshold, and the translator component to reset a counter for the number of invalid target addresses and a counter for the number of valid execution instructions when the number of valid execution instructions is greater than the execution instruction threshold.

In a nineteenth example and in furtherance of any of the previous examples, a system, a device or an apparatus may include the translator component to enable an execution tracking routine when the target address of the register is invalid, the execution tracking routine to disable one or more optimizations and one or more fast lookup tables.

In a twentieth example and in furtherance of any of the previous examples, a system, a device or an apparatus may include the translator component to perform the execution instruction when the target address is valid or if the number of invalid target addresses is less than or equal to the invalid target address threshold.

In a twenty-first example and in furtherance of any of the previous examples, a system, a device or an apparatus may include the execution instruction being part of a main routine of an application stored in the storage.

In a twenty-second example and in furtherance of any of the previous examples, a system, a device or an apparatus may include the translator component to perform a translation routine on one or more routines to determine one or more valid target addresses, and store the one or more valid target addresses in a lookup table.

In a twenty-third example and in furtherance of any of the previous examples, a system, a device or an apparatus may include the security component to determine at least one of an invalid target address threshold and an execution instruction threshold based on a security setting.

In a twenty-fourth example and in furtherance of any of the previous examples, a system, a device or an apparatus may include the security measure to disable a main routine for the execution instruction and/or report a security breach attempt to a security agent.

In a twenty-fifth example and in furtherance of any of the previous examples, a system, a device or an apparatus may include an input/output (I/O) adapter, a transceiver, and a display controller coupled with a display, and wherein the I/O adapter, the transceiver, the display controller, the display, the memory, storage, and the processing circuitry are all coupled via a bus.

Some embodiments may be described using the expression “one embodiment” or “an embodiment” along with their derivatives. These terms mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment. Further, some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments may be described using the terms “connected” and/or “coupled” to indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.

It is emphasized that the Abstract of the Disclosure is provided to allow a reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing Detailed Description, it can be seen that various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment. In the appended claims, the terms “including” and “in which” are used as the plain-English equivalents of the respective terms “comprising” and “wherein,” respectively. Moreover, the terms “first,” “second,” “third,” and so forth, are used merely as labels, and are not intended to impose numerical requirements on their objects.

What has been described above includes examples of the disclosed architecture. It is, of course, not possible to describe every conceivable combination of components and/or methodologies, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the novel architecture is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims.

1.-25. (canceled)
26. An apparatus, comprising: a memory; and logic, at least a portion of which is comprised in circuitry coupled to the memory, the logic to: identify an intended target address for an indirect branch instruction; retrieve a predicted target address for the indirect branch instruction from a lookup table; compare the intended target address to the predicted target address; and increment an invalid target address counter and enable execution tracking when the intended target address differs from the predicted target address, execution tracking to track a number of instructions executed with an execution instruction counter.
27. The apparatus of claim 26, the logic to execute the indirect branch instruction when the invalid target address counter is below an invalid target address threshold.
28. The apparatus of claim 27, the logic to: identify a second intended target address for a second indirect branch instruction; retrieve a second predicted target address for the second indirect branch instruction from the lookup table; compare the second intended target address to the second predicted target address; and increment the execution instruction counter when the second intended target address matches the second predicted target address.
29. The apparatus of claim 28, the logic to reset the invalid target address counter and the execution instruction counter when the execution instruction counter is above an execution instruction threshold.
30. The apparatus of claim 29, the logic to disable execution tracking when the execution instruction counter is above the execution instruction threshold.
31. The apparatus of claim 28, the logic to execute the second indirect branch instruction when the execution instruction counter is below an execution instruction threshold.
32. The apparatus of claim 31, the logic to unlink a translation block when the execution instruction counter is below the execution instruction threshold.
33. The apparatus of claim 26, the logic to initiate a security measure when the invalid target address counter is above an invalid target address threshold, the security measure to protect a computing device from a return-oriented programming attack.
34. The apparatus of claim 26, the indirect branch instruction comprising a return instruction.
35. The apparatus of claim 26, the logic to disable a function routine of a library when execution tracking is enabled.
36. A computer-implemented method, comprising: identifying an intended target address for an indirect branch instruction; retrieving a predicted target address for the indirect branch instruction from a lookup table; comparing the intended target address to the predicted target address; and incrementing an invalid target address counter and enabling execution tracking when the intended target address differs from the predicted target address, execution tracking to track a number of instructions executed with an execution instruction counter.
37. The computer-implemented method of claim 36, comprising executing the indirect branch instruction when the invalid target address counter is below an invalid target address threshold.
38. The computer-implemented method of claim 37, comprising: identifying a second intended target address for a second indirect branch instruction; retrieving a second predicted target address for the second indirect branch instruction from the lookup table; comparing the second intended target address to the second predicted target address; and incrementing the execution instruction counter when the second intended target address matches the second predicted target address.
39. The computer-implemented method of claim 38, comprising resetting the invalid target address counter and the execution instruction counter when the execution instruction counter is above an execution instruction threshold.
40. The computer-implemented method of claim 39, comprising disabling execution tracking when the execution instruction counter is above the execution instruction threshold.
41. The computer-implemented method of claim 38, comprising executing the second indirect branch instruction when the execution instruction counter is below an execution instruction threshold.
42. The computer-implemented method of claim 41, comprising unlinking a translation block when the execution instruction counter is below the execution instruction threshold.
43. The computer-implemented method of claim 36, comprising initiating a security measure when the invalid target address counter is above an invalid target address threshold, the security measure to protect a computing device from a return-oriented programming attack.
44. The computer-implemented method of claim 36, the indirect branch instruction comprising a return instruction.
45. The computer-implemented method of claim 36, comprising disabling a function routine of a library when execution tracking is enabled.
46. At least one non-transitory computer-readable medium comprising a set of instructions that, in response to being executed by a processor circuit, cause the processor circuit to: identify an intended target address for an indirect branch instruction; retrieve a predicted target address for the indirect branch instruction from a lookup table; compare the intended target address to the predicted target address; and increment an invalid target address counter and enable execution tracking when the intended target address differs from the predicted target address, execution tracking to track a number of instructions executed with an execution instruction counter.
47. The at least one non-transitory computer-readable medium of claim 46, comprising instructions that, in response to being executed by the processor circuit, cause the processor circuit to execute the indirect branch instruction when the invalid target address counter is below an invalid target address threshold.
48. The at least one non-transitory computer-readable medium of claim 47, comprising instructions that, in response to being executed by the processor circuit, cause the processor circuit to: identify a second intended target address for a second indirect branch instruction; retrieve a second predicted target address for the second indirect branch instruction from the lookup table; compare the second intended target address to the second predicted target address; and increment the execution instruction counter when the second intended target address matches the second predicted target address.
49. The at least one non-transitory computer-readable medium of claim 48, comprising instructions that, in response to being executed by the processor circuit, cause the processor circuit to reset the invalid target address counter and the execution instruction counter when the execution instruction counter is above an execution instruction threshold.
50. The at least one non-transitory computer-readable medium of claim 49, comprising instructions that, in response to being executed by the processor circuit, cause the processor circuit to disable execution tracking when the execution instruction counter is above the execution instruction threshold.
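The counter-and-threshold logic that examples 1-25 and claims 26-50 describe, as an added simulation that is not the patent's own code nor any product's implementation. It assumes a lookup table mapping each indirect-branch site to the target a translation routine previously linked (LOOKUP, with constructed addresses), treats any mismatch between the intended and the predicted target as an invalid target address, and uses 3 and 5 as constructed values for the invalid target address threshold and the execution instruction threshold. The benign trace shows what the execution instruction counter is for: a function returning to a second caller mispredicts, but enough predicted branches follow to reset both counters before the invalid target address threshold is crossed; a run of the same benign trace with a very large execution instruction threshold shows the false positive that the reset prevents, and the gadget-style trace shows consecutive mismatches reaching the security measure.

```python
"""Simulation of the invalid-target-address / execution-instruction counters
described in the examples and claims above.  Added illustration only; the
lookup table, thresholds and traces are constructed sample values."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Trace entry: (address of the indirect branch site, intended target address).
Trace = List[Tuple[int, int]]

# Constructed lookup table: branch site -> predicted (previously linked) target,
# assumed to be the output of the translation routine named in the examples.
LOOKUP: Dict[int, int] = {0x1000: 0x4010, 0x1100: 0x4110, 0x1200: 0x4210}


@dataclass
class RopDetector:
    invalid_threshold: int          # invalid target address threshold
    exec_threshold: int             # execution instruction threshold
    lookup: Dict[int, int]          # predicted target per branch site
    invalid_count: int = 0          # invalid target address counter
    exec_count: int = 0             # execution instruction counter
    tracking: bool = False          # execution tracking enabled?
    last_mismatch: Optional[Tuple[int, int]] = None

    def on_indirect_branch(self, site: int, intended: int) -> str:
        """Process one indirect branch (e.g. a RET) and return the action taken."""
        predicted = self.lookup.get(site)
        if predicted != intended:
            # Mismatch: count it and enter the tracked slow path, in which the
            # examples disable optimizations and fast lookup tables.
            self.invalid_count += 1
            self.tracking = True
            self.last_mismatch = (site, intended)
            if self.invalid_count > self.invalid_threshold:
                return "security-measure"       # too many mismatches: likely ROP
            return "execute-after-mismatch"     # tolerated; may be benign
        if self.tracking:
            # Predicted branch while tracking: count it; once enough have run,
            # the earlier mismatches are treated as a false positive.
            self.exec_count += 1
            if self.exec_count > self.exec_threshold:
                self.invalid_count = 0
                self.exec_count = 0
                self.tracking = False
                return "reset"
        return "execute"


def run(trace: Trace, invalid_threshold: int = 3,
        exec_threshold: int = 5) -> Tuple[List[str], RopDetector]:
    """Feed a trace through a fresh detector; stop at the first security measure."""
    det = RopDetector(invalid_threshold, exec_threshold, dict(LOOKUP))
    actions: List[str] = []
    for site, intended in trace:
        action = det.on_indirect_branch(site, intended)
        actions.append(action)
        if action == "security-measure":
            break
    return actions, det


def benign_trace(rounds: int = 3) -> Trace:
    """Constructed trace of normal execution: the function whose return sits at
    0x1000 has a second caller (return target 0x4020) that the lookup table
    does not predict, once per round; every other return is predicted."""
    trace: Trace = []
    for _ in range(rounds):
        trace.append((0x1000, 0x4020))      # benign misprediction
        for _ in range(3):
            trace += [(0x1000, 0x4010), (0x1100, 0x4110), (0x1200, 0x4210)]
    return trace


def rop_trace() -> Trace:
    """Constructed trace of chained gadget returns: no site was ever linked by
    the translator, so every target mismatches."""
    return [(0x2000, 0x5000), (0x2010, 0x5100), (0x2020, 0x5200), (0x2030, 0x5300)]


if __name__ == "__main__":
    for name, trace in (("benign", benign_trace()), ("rop", rop_trace())):
        actions, det = run(trace)
        print(name, actions[-1], "invalid_count=%d" % det.invalid_count)
```

The comparisons follow examples 1 and 2 (strictly greater than each threshold); the claims' "above" and "below" wording leaves the equal case open, and a real implementation would pick one convention and derive both thresholds from the security setting named in examples 7, 15 and 23.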